Portable computing devices such as smart cards can be used for various traditional purposes, such as shopping at a grocery store or gaining entry to a secured building. As these devices gain computing power and memory capacity, they can be used for more expansive purposes. For example, a portable computing device may be equipped with a web server capable of processing requests from remote clients using HyperText Transfer Protocol (HTTP). Through the web server, the portable computing device may interact with a variety of clients, including ones enabling payment for online shopping. Such a client may be an HTTP client application located in an American Express™ machine somewhere on a network to which both the portable computing device and the American Express™ machine are connected.
A disadvantage of the remote processing techniques is that they typically only authenticate clients. An unauthorized user can use a stolen portable computing device and deliberately cause it to interact with a trusted remote client. In that interaction, the remote client would be able to present correct credential information for itself along with a request for accessing a protected resource on the portable computing device. The remote processing functionality on the portable computing device would successfully authenticate and authorize the remote client. As a result, the unauthorized user can successfully use the trusted remote client to gain access to, and tamper with, the protected resource on the portable computing device.
Therefore, because the existing techniques are of limited use in preventing an unauthorized user from gaining access to protected resources on a portable computing device through a trusted remote client, an improved scheme that enables such prevention is needed.
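The gap described above, modelled as an added example that is not part of the original text: an on-card check that authenticates only the remote client, beside one that also requires the holder to have been verified. The HMAC client credential, the PIN with a retry counter, and every name and value below are assumptions chosen for illustration, not the scheme this document goes on to describe.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from the original text.
CLIENT_KEYS = {"payment-client": b"constructed-shared-key"}
PIN_SALT = b"constructed-salt"
MAX_PIN_TRIES = 3

def _pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 10_000)

def _tag(key: bytes, client_id: str, path: str) -> str:
    return hmac.new(key, f"{client_id}|{path}".encode(), hashlib.sha256).hexdigest()

def sign_request(client_id: str, path: str) -> str:
    # Credential the trusted remote client presents with its own request.
    return _tag(CLIENT_KEYS[client_id], client_id, path)

class Card:
    def __init__(self, holder_pin: str):
        self._pin_ref = _pin_hash(holder_pin)
        self._tries_left = MAX_PIN_TRIES
        self.holder_verified = False

    def client_ok(self, client_id: str, path: str, tag: str) -> bool:
        key = CLIENT_KEYS.get(client_id)
        return key is not None and hmac.compare_digest(_tag(key, client_id, path), tag)

    def verify_holder(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False  # blocked after too many wrong PINs
        if hmac.compare_digest(_pin_hash(pin), self._pin_ref):
            self._tries_left = MAX_PIN_TRIES
            self.holder_verified = True
        else:
            self._tries_left -= 1
            self.holder_verified = False
        return self.holder_verified

    def authorize_client_only(self, client_id: str, path: str, tag: str) -> bool:
        # Client-only check: says nothing about who is holding the card.
        return self.client_ok(client_id, path, tag)

    def authorize_client_and_holder(self, client_id: str, path: str, tag: str) -> bool:
        # Also requires that the current holder has been verified on the card.
        return self.holder_verified and self.client_ok(client_id, path, tag)
```

With a valid client credential and no holder verification, `authorize_client_only` grants access and `authorize_client_and_holder` refuses, which is the stolen-device case the text describes.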